diff options
| author | Justus Winter <4winter@informatik.uni-hamburg.de> | 2014-03-30 19:20:05 +0200 |
|---|---|---|
| committer | Justus Winter <4winter@informatik.uni-hamburg.de> | 2014-03-30 19:20:05 +0200 |
| commit | 04fc869149c3ae10d3835049738818e68174d05d (patch) | |
| tree | a65edd7f02ab50028d5d8de659620ded21ac8df3 | |
| parent | bdc34d0383ffd80bc76b24619b26df29307243e0 (diff) | |
Add portseal
| -rw-r--r-- | Makefile | 38 | ||||
| -rw-r--r-- | README | 57 | ||||
| -rwxr-xr-x | bin/portseal | 247 | ||||
| -rw-r--r-- | libportseal/Makefile | 12 | ||||
| -rw-r--r-- | libportseal/jhash.h | 256 | ||||
| -rw-r--r-- | libportseal/portseal.c | 271 | ||||
| -rw-r--r-- | libportseal/portseal.h | 73 | ||||
| -rw-r--r-- | share/portseal/portseal.cocci | 117 | ||||
| -rw-r--r-- | test/Makefile | 8 | ||||
| -rw-r--r-- | test/test.c | 102 |
10 files changed, 1181 insertions, 0 deletions
diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..28a9d56 --- /dev/null +++ b/Makefile @@ -0,0 +1,38 @@ +# Copyright (c) 2014 Justus Winter <4winter@informatik.uni-hamburg.de> +# +# Permission to use, copy, modify, and distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + +all: libportseal libpinniped + +.PHONY: libportseal +libportseal: + $(MAKE) -C "$@" + +.PHONY: libpinniped +libpinniped: + $(MAKE) -C "$@" + +.PHONY: check +check: all + rm -rf -- test-obj + cp -a test test-obj + (cd test-obj && ../bin/portseal patch) + $(MAKE) -C test-obj + bin/pinniped test-obj/test + (cd test-obj && ../bin/portseal unpatch) + +.PHONY: clean +clean: + $(MAKE) -C libportseal clean + $(MAKE) -C libpinniped clean + rm -rf -- test-obj @@ -4,6 +4,63 @@ portseal - tools to locate port management bugs This is a collection of tools to find bugs related to Mach port handling like port leaks at runtime. +Requirements +------------ + +portseal is written in python and leverages coccinelle for the source +transformation. libportseal requires liburcu. + +How to use it +------------- + +Use "portseal patch" within the source of your target code to patch +it, "portseal unpatch" to undo the change. "make check" demonstrates +how to use portseal and pinniped to find both port leaks and wrong use +of port management functions: + +% make check +rm -rf -- test-obj +cp -a test test-obj +(cd test-obj && ../bin/portseal patch) +[...] +bin/pinniped test-obj/test +dosth looked up 146 +test-obj/test: leaked send right 146 +test-obj/test[0x80489c3] +test-obj/test[0x8048d05] +/lib/i386-gnu/libc.so.0.3(__libc_start_main+0xbc)[0x10aa69c] +test-obj/test[0x8048811] +dosthelse looked up 148 +test-obj/test: leaked send right 148 +test-obj/test[0x8048d9d] +/lib/i386-gnu/libc.so.0.3(__libc_start_main+0xbc)[0x10aa69c] +test-obj/test[0x8048811] +dosthglobal looked up 153 +test-obj/test: leaked send right 153 +test-obj/test[0x8048dc2] +/lib/i386-gnu/libc.so.0.3(__libc_start_main+0xbc)[0x10aa69c] +test-obj/test[0x8048811] +allocated receive port 154 +test-obj/test: leaked receive right 154 +test-obj/test[0x8048c36] +test-obj/test[0x8048dcc] +/lib/i386-gnu/libc.so.0.3(__libc_start_main+0xbc)[0x10aa69c] +test-obj/test[0x8048811] +dolookupcwd looked up 108 +test-obj/test: mach_port_deallocate (1, 12345): (os/kern) invalid name +test-obj/test[0x8048ce0] +test-obj/test[0x8048dd6] +/lib/i386-gnu/libc.so.0.3(__libc_start_main+0xbc)[0x10aa69c] +test-obj/test[0x8048811] +test-obj/test: mach_port_destroy (1, 54321): (os/kern) invalid name +test-obj/test[0x8048cf5] +test-obj/test[0x8048dd6] +/lib/i386-gnu/libc.so.0.3(__libc_start_main+0xbc)[0x10aa69c] +test-obj/test[0x8048811] +% addr2line -e test-obj/test 0x8048c36 +.../portseal/test-obj/test.c:65 + + libpinniped ----------- diff --git a/bin/portseal b/bin/portseal new file mode 100755 index 0000000..bcb39b8 --- /dev/null +++ b/bin/portseal @@ -0,0 +1,247 @@ +#!/usr/bin/env python +from __future__ import print_function + +# Copyright (c) 2014 Justus Winter <4winter@informatik.uni-hamburg.de> +# +# Permission to use, copy, modify, and distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + +import difflib +import logging as log +import os +import re +import subprocess +import string +import sys + +log.basicConfig(format='%(levelname)s:%(message)s', level=log.DEBUG) + +base_path = os.path.dirname (os.path.dirname (os.path.abspath (sys.argv[0]))) +template_path = os.path.join (base_path, "share", "portseal") +state_path = os.path.abspath (".portseal") +portseal_h = os.path.join (base_path, "libportseal", "portseal.h") +portseal_L = os.path.join (base_path, "libportseal") + +def pkg_config (pkg, what): + return subprocess.check_output (["pkg-config", "--"+what, pkg]).strip () + +ldflags = "-L{0} -Wl,-rpath={0} -lportseal -ldl {1} {2} {3}".format ( + portseal_L, + pkg_config ("liburcu", "libs"), + pkg_config ("liburcu-cds", "libs"), + pkg_config ("liburcu-mb", "libs"), +) + +def template (x): + return os.path.join (template_path, x) + +def state (x): + return os.path.join (state_path, x) + +def make_state_dir (): + if not os.path.exists (state_path): + os.mkdir (state_path) + +def is_patched (): + return os.path.exists (state ("portseal.patch")) + +def template_apply (name, mapping, sink=None, **overlay): + log.debug ("applying template {0}".format (name)) + with open (template (name)) as source: + t = source.read () + + m = mapping.copy () + m.update (overlay) + for key, value in sorted (m.items (), + cmp=lambda a, b: cmp (len (a[0]), len (b[0])), + reverse=True): + t = t.replace (key, value) + + if sink: + sink.write (t) + else: + with open (state (name), "w") as sink: + sink.write (t) + +def spatch (cocci): + includes = list () + for i in (args.I or ["/usr/include"]): + includes.extend (("-I", i)) + + c = ["spatch", + "--no-loops", + "--no-gotos", + "--smpl-spacing", + "--include-headers", + "--sp-file", cocci, + "-dir", ".", + ] + includes + log.debug ("executing {0}".format (c)) + + return subprocess.check_output (c) + +def do_wrap_hack(s, r = False): + wraphack = 'PORTSEAL_WRAP_HACK' + if r: + wraphack += '_R' + + def walk (s, i, direction, p): + while p != 0: + if s[i] == "(": + p += 1 + elif s[i] == ")": + p -= 1 + i += direction + return i + + def skip_ws (s, i, direction): + while 0 < i < len (s) - 1: + if string.strip (s[i]): + break + i += direction + return i + + def skip_nws (s, i, direction): + while 0 < i < len (s) - 1: + if not string.strip (s[i]): + break + i += direction + return i + + while wraphack in s: + i = s.index(wraphack) + start = skip_nws (s, skip_ws (s, walk (s, i, -1, -1), -1), -1) + id_start = skip_ws (s, i + len (wraphack), 1) + id_end = walk (s, id_start + 1, 1, 1) + ident = s[id_start:id_end] + end = walk (s, id_end, 1, 1) + s = "{0} PORTSEAL_WRAP{1}({2}{3}, {4}){5}".format ( + s[:start], + "_R" if r else "", + s[start:i], + s[id_start:end], + ident, + s[end:]) + + return s + +def patch (args): + if is_patched (): + return + + make_state_dir () + + mapping = dict () + with open (state ("portseal.cocci"), "w") as sink: + template_apply ("portseal.cocci", mapping, sink) + + cocci_patch = spatch (state ("portseal.cocci")) + + patches = list () + patches.append (cocci_patch) + + # add include to every file the cocci patch touched + for l in cocci_patch.split ("\n"): + if not l.startswith ("--- a/"): + continue + patches.append (make_patch ( + l[6:], + lambda a: "#include \"{0}\"\n#line 1\n{1}".format (portseal_h, a))) + + ldflags_re = re.compile (r"^(\s*LDFLAGS\s*=.*)(\\?)$", re.M) + for dirpath, dirs, files in os.walk("."): + if dirpath.endswith (".portseal"): + continue + for f in filter (lambda f: "Make" in f, files): + patches.append ( + make_patch ( + os.path.join (dirpath, f), + lambda m: + ldflags_re.sub (r"\1 {0} \2".format (ldflags), m, 0))) + + with open(state ("portseal.patch"), "w") as h: + h.write ("\n".join (patches)) + + subprocess.check_call ( + ["patch", "-p1"], + stdin=open (state ("portseal.patch")), + ) + + # wraphack + wraphack_patches = list () + for dirpath, dirs, files in os.walk("."): + if dirpath.endswith (".portseal"): + continue + + #continue + + for f in filter (lambda f: f[-2:] in ('.c', '.h'), files): + try: + wraphack_patches.append ( + make_patch ( + os.path.join (dirpath, f), + lambda m: do_wrap_hack (do_wrap_hack (m, True)))) + except IOError: + pass + + with open(state ("wraphack.patch"), "w") as h: + h.write ("\n".join (wraphack_patches)) + + subprocess.check_call ( + ["patch", "-p1"], + stdin=open (state ("wraphack.patch")), + ) + + +def make_patch (filename, mutator): + a = open (filename).read () + b = mutator (a) + p = os.path.join ("a", filename) + def split(x): + return [l+"\n" for l in x.split ("\n")] + return "".join (difflib.unified_diff (split (a), + split (b), + fromfile=p, + tofile=p)) +def unpatch (args): + if not is_patched (): + return + + subprocess.check_call ( + ["patch", "-p1", "-R"], + stdin=open (state ("wraphack.patch")), + ) + + subprocess.check_call ( + ["patch", "-p1", "-R"], + stdin=open (state ("portseal.patch")), + ) + + os.remove (state ("portseal.patch")) + +import argparse + +parser = argparse.ArgumentParser() +subparsers = parser.add_subparsers(title='subcommands', + description='valid subcommands', + help='additional help') + +parser_patch = subparsers.add_parser('patch') +parser_patch.set_defaults(func=patch) +parser_patch.add_argument('-I', metavar='DIR', action="append", + help='add include directory') + +parser_unpatch = subparsers.add_parser('unpatch') +parser_unpatch.set_defaults(func=unpatch) + +args = parser.parse_args() +sys.exit(args.func(args)) diff --git a/libportseal/Makefile b/libportseal/Makefile new file mode 100644 index 0000000..2e2cc5e --- /dev/null +++ b/libportseal/Makefile @@ -0,0 +1,12 @@ +USE_PKG = liburcu liburcu-cds liburcu-mb + +CFLAGS = -std=gnu99 -Wall -ggdb \ + $(foreach lib,$(USE_PKG),$(shell pkg-config --cflags $(lib))) +LDFLAGS = -rdynamic -ldl \ + -L. -lportseal \ + $(foreach lib,$(USE_PKG),$(shell pkg-config --libs $(lib))) + +all: libportseal.so + +libportseal.so: portseal.o + gcc -shared -o "$@" "$<" diff --git a/libportseal/jhash.h b/libportseal/jhash.h new file mode 100644 index 0000000..673989d --- /dev/null +++ b/libportseal/jhash.h @@ -0,0 +1,256 @@ +#ifndef _JHASH_H +#define _JHASH_H + +/* + * jhash.h + * + * Example hash function. + * + * Copyright 2009-2012 - Mathieu Desnoyers <mathieu.desnoyers@polymtl.ca> + * + * THIS MATERIAL IS PROVIDED AS IS, WITH ABSOLUTELY NO WARRANTY EXPRESSED + * OR IMPLIED. ANY USE IS AT YOUR OWN RISK. + * + * Permission is hereby granted to use or copy this program for any + * purpose, provided the above notices are retained on all copies. + * Permission to modify the code and to distribute modified code is + * granted, provided the above notices are retained, and a notice that + * the code was modified is included with the above copyright notice. + */ + +/* + * Hash function + * Source: http://burtleburtle.net/bob/c/lookup3.c + * Originally Public Domain + */ + +#define rot(x, k) (((x) << (k)) | ((x) >> (32 - (k)))) + +#define mix(a, b, c) \ +do { \ + a -= c; a ^= rot(c, 4); c += b; \ + b -= a; b ^= rot(a, 6); a += c; \ + c -= b; c ^= rot(b, 8); b += a; \ + a -= c; a ^= rot(c, 16); c += b; \ + b -= a; b ^= rot(a, 19); a += c; \ + c -= b; c ^= rot(b, 4); b += a; \ +} while (0) + +#define final(a, b, c) \ +{ \ + c ^= b; c -= rot(b, 14); \ + a ^= c; a -= rot(c, 11); \ + b ^= a; b -= rot(a, 25); \ + c ^= b; c -= rot(b, 16); \ + a ^= c; a -= rot(c, 4); \ + b ^= a; b -= rot(a, 14); \ + c ^= b; c -= rot(b, 24); \ +} + +#if (BYTE_ORDER == LITTLE_ENDIAN) +#define HASH_LITTLE_ENDIAN 1 +#else +#define HASH_LITTLE_ENDIAN 0 +#endif + +/* + * + * hashlittle() -- hash a variable-length key into a 32-bit value + * k : the key (the unaligned variable-length array of bytes) + * length : the length of the key, counting by bytes + * initval : can be any 4-byte value + * Returns a 32-bit value. Every bit of the key affects every bit of + * the return value. Two keys differing by one or two bits will have + * totally different hash values. + * + * The best hash table sizes are powers of 2. There is no need to do + * mod a prime (mod is sooo slow!). If you need less than 32 bits, + * use a bitmask. For example, if you need only 10 bits, do + * h = (h & hashmask(10)); + * In which case, the hash table should have hashsize(10) elements. + * + * If you are hashing n strings (uint8_t **)k, do it like this: + * for (i = 0, h = 0; i < n; ++i) h = hashlittle(k[i], len[i], h); + * + * By Bob Jenkins, 2006. bob_jenkins@burtleburtle.net. You may use this + * code any way you wish, private, educational, or commercial. It's free. + * + * Use for hash table lookup, or anything where one collision in 2^^32 is + * acceptable. Do NOT use for cryptographic purposes. + */ +static +uint32_t hashlittle(const void *key, size_t length, uint32_t initval) +{ + uint32_t a, b, c; /* internal state */ + union { + const void *ptr; + size_t i; + } u; + + /* Set up the internal state */ + a = b = c = 0xdeadbeef + ((uint32_t)length) + initval; + + u.ptr = key; + if (HASH_LITTLE_ENDIAN && ((u.i & 0x3) == 0)) { + const uint32_t *k = (const uint32_t *) key; /* read 32-bit chunks */ + + /*------ all but last block: aligned reads and affect 32 bits of (a,b,c) */ + while (length > 12) { + a += k[0]; + b += k[1]; + c += k[2]; + mix(a, b, c); + length -= 12; + k += 3; + } + + /*----------------------------- handle the last (probably partial) block */ + /* + * "k[2]&0xffffff" actually reads beyond the end of the string, but + * then masks off the part it's not allowed to read. Because the + * string is aligned, the masked-off tail is in the same word as the + * rest of the string. Every machine with memory protection I've seen + * does it on word boundaries, so is OK with this. But VALGRIND will + * still catch it and complain. The masking trick does make the hash + * noticably faster for short strings (like English words). + */ +#ifndef VALGRIND + + switch (length) { + case 12: c+=k[2]; b+=k[1]; a+=k[0]; break; + case 11: c+=k[2]&0xffffff; b+=k[1]; a+=k[0]; break; + case 10: c+=k[2]&0xffff; b+=k[1]; a+=k[0]; break; + case 9 : c+=k[2]&0xff; b+=k[1]; a+=k[0]; break; + case 8 : b+=k[1]; a+=k[0]; break; + case 7 : b+=k[1]&0xffffff; a+=k[0]; break; + case 6 : b+=k[1]&0xffff; a+=k[0]; break; + case 5 : b+=k[1]&0xff; a+=k[0]; break; + case 4 : a+=k[0]; break; + case 3 : a+=k[0]&0xffffff; break; + case 2 : a+=k[0]&0xffff; break; + case 1 : a+=k[0]&0xff; break; + case 0 : return c; /* zero length strings require no mixing */ + } + +#else /* make valgrind happy */ + { + const uint8_t *k8; + + k8 = (const uint8_t *) k; + switch (length) { + case 12: c+=k[2]; b+=k[1]; a+=k[0]; break; + case 11: c+=((uint32_t) k8[10])<<16; /* fall through */ + case 10: c+=((uint32_t) k8[9])<<8; /* fall through */ + case 9 : c+=k8[8]; /* fall through */ + case 8 : b+=k[1]; a+=k[0]; break; + case 7 : b+=((uint32_t) k8[6])<<16; /* fall through */ + case 6 : b+=((uint32_t) k8[5])<<8; /* fall through */ + case 5 : b+=k8[4]; /* fall through */ + case 4 : a+=k[0]; break; + case 3 : a+=((uint32_t) k8[2])<<16; /* fall through */ + case 2 : a+=((uint32_t) k8[1])<<8; /* fall through */ + case 1 : a+=k8[0]; break; + case 0 : return c; + } + } +#endif /* !valgrind */ + + } else if (HASH_LITTLE_ENDIAN && ((u.i & 0x1) == 0)) { + const uint16_t *k = (const uint16_t *) key; /* read 16-bit chunks */ + const uint8_t *k8; + + /*--------------- all but last block: aligned reads and different mixing */ + while (length > 12) + { + a += k[0] + (((uint32_t) k[1])<<16); + b += k[2] + (((uint32_t) k[3])<<16); + c += k[4] + (((uint32_t) k[5])<<16); + mix(a, b, c); + length -= 12; + k += 6; + } + + /*----------------------------- handle the last (probably partial) block */ + k8 = (const uint8_t *) k; + switch(length) + { + case 12: c+=k[4]+(((uint32_t) k[5])<<16); + b+=k[2]+(((uint32_t) k[3])<<16); + a+=k[0]+(((uint32_t) k[1])<<16); + break; + case 11: c+=((uint32_t) k8[10])<<16; /* fall through */ + case 10: c+=k[4]; + b+=k[2]+(((uint32_t) k[3])<<16); + a+=k[0]+(((uint32_t) k[1])<<16); + break; + case 9 : c+=k8[8]; /* fall through */ + case 8 : b+=k[2]+(((uint32_t) k[3])<<16); + a+=k[0]+(((uint32_t) k[1])<<16); + break; + case 7 : b+=((uint32_t) k8[6])<<16; /* fall through */ + case 6 : b+=k[2]; + a+=k[0]+(((uint32_t) k[1])<<16); + break; + case 5 : b+=k8[4]; /* fall through */ + case 4 : a+=k[0]+(((uint32_t) k[1])<<16); + break; + case 3 : a+=((uint32_t) k8[2])<<16; /* fall through */ + case 2 : a+=k[0]; + break; + case 1 : a+=k8[0]; + break; + case 0 : return c; /* zero length requires no mixing */ + } + + } else { /* need to read the key one byte at a time */ + const uint8_t *k = (const uint8_t *)key; + + /*--------------- all but the last block: affect some 32 bits of (a, b, c) */ + while (length > 12) { + a += k[0]; + a += ((uint32_t) k[1])<<8; + a += ((uint32_t) k[2])<<16; + a += ((uint32_t) k[3])<<24; + b += k[4]; + b += ((uint32_t) k[5])<<8; + b += ((uint32_t) k[6])<<16; + b += ((uint32_t) k[7])<<24; + c += k[8]; + c += ((uint32_t) k[9])<<8; + c += ((uint32_t) k[10])<<16; + c += ((uint32_t) k[11])<<24; + mix(a,b,c); + length -= 12; + k += 12; + } + + /*-------------------------------- last block: affect all 32 bits of (c) */ + switch (length) { /* all the case statements fall through */ + case 12: c+=((uint32_t) k[11])<<24; + case 11: c+=((uint32_t) k[10])<<16; + case 10: c+=((uint32_t) k[9])<<8; + case 9 : c+=k[8]; + case 8 : b+=((uint32_t) k[7])<<24; + case 7 : b+=((uint32_t) k[6])<<16; + case 6 : b+=((uint32_t) k[5])<<8; + case 5 : b+=k[4]; + case 4 : a+=((uint32_t) k[3])<<24; + case 3 : a+=((uint32_t) k[2])<<16; + case 2 : a+=((uint32_t) k[1])<<8; + case 1 : a+=k[0]; + break; + case 0 : return c; + } + } + + final(a, b, c); + return c; +} + +static inline +uint32_t jhash(const void *key, size_t length, uint32_t seed) +{ + return hashlittle(key, length, seed); +} + +#endif /* _JHASH_H */ diff --git a/libportseal/portseal.c b/libportseal/portseal.c new file mode 100644 index 0000000..f9523c6 --- /dev/null +++ b/libportseal/portseal.c @@ -0,0 +1,271 @@ +#define _GNU_SOURCE +#include <dlfcn.h> +#include <errno.h> +#include <error.h> +#include <execinfo.h> +#include <fcntl.h> +#include <hurd.h> +#include <mach.h> +#include <malloc.h> +#include <stdint.h> +#include <stdio.h> +#include <time.h> + +#include <urcu.h> /* RCU flavor */ +#include <urcu/rcuhlist.h> /* RCU hlist */ +#include <urcu/rculfhash.h> /* RCU Lock-free hash table */ +#include <urcu/compiler.h> /* For CAA_ARRAY_SIZE */ +#include "jhash.h" /* Example hash function */ + +#include "portseal.h" + +#if 0 +# define TRACE(X...) error(0, 0, X) +#else +# define TRACE(X...) +#endif + +#define PORTSEAL_PORTS_SIZE 1000 +int ports[PORTSEAL_PORTS_SIZE]; + +struct object { + struct cds_lfht_node node; /* Chaining in hash table */ + struct rcu_head rcu_head; /* For call_rcu() */ + struct cds_hlist_head ports; + unsigned long addr; + size_t size; +}; + +struct port { + mach_port_t *p; + struct cds_hlist_node node; /* Linked-list chaining */ +}; + +static uint32_t portseal_seed; +static struct cds_lfht *portseal_object_hash; +static int portseal_is_initialized; + +/* Reference counting. */ +void +portseal_increment (mach_port_t p) +{ + if (! MACH_PORT_VALID (p)) + return; + + if (p >= PORTSEAL_PORTS_SIZE) + { + TRACE ("port name %d >= PORTSEAL_PORTS_SIZE", (int) p); + return; + } + + TRACE ("portseal_increment (%d)", (int) p); + __atomic_add_fetch (&ports[p], 1, __ATOMIC_RELAXED); +} + +static char *mach_port_right_str[] = + { + "send", + "receive", + "send-once", + "port-set", + "dead-name", + }; + +static void +portseal_dec (mach_port_t p) +{ + if (! MACH_PORT_VALID (p)) + return; + + if (p >= PORTSEAL_PORTS_SIZE) + { + TRACE ("port name %d >= PORTSEAL_PORTS_SIZE", (int) p); + return; + } + + int c = __atomic_sub_fetch (&ports[p], 1, __ATOMIC_RELAXED); + TRACE ("portseal_decrement (%d) to %d", (int) p, c); + if (c > 0) + return; + + /* check hurd ports */ + for (int i = 0; i < INIT_PORT_MAX; i++) + if (HURD_PORT_USE (&_hurd_ports[i], port == p)) + /* the libc has a reference, it's fine */ + return; + + error_t err = 0; + mach_port_urefs_t refs; + mach_port_right_t typ; + + for (typ = MACH_PORT_RIGHT_SEND; + typ < MACH_PORT_RIGHT_NUMBER; + typ++) + { + err = mach_port_get_refs (mach_task_self (), + p, + typ, + &refs); + if (err) + goto out; + if (refs) + goto leak; + } + + out: + if (err && err != KERN_INVALID_NAME) + error (0, err, "error in portseal_check_leak"); + return; + + leak: + error (0, 0, "leaked %s right %d", mach_port_right_str[typ], (int) p); + void *array[20]; + size_t size; + size = backtrace (array, 20); + backtrace_symbols_fd (&array[2], size - 2, 2); +} + +/* Used as cleanup function when variables with storage class auto, + i.e. variables residing on the stack. */ +void +portseal_decrement_p (mach_port_t *p) +{ + portseal_dec (*p); +} + +void +portseal_decrement (mach_port_t p) +{ + portseal_dec (p); +} + +/* Used to wrap port assignments. */ +mach_port_t +portseal_set_port (mach_port_t *p, mach_port_t new) +{ + portseal_dec (*p); + + if (! MACH_PORT_VALID (new)) + goto out; + + portseal_increment (new); + + struct object *o = NULL, *node; + struct cds_lfht_iter iter; + rcu_read_lock(); + cds_lfht_for_each_entry (portseal_object_hash, &iter, node, node) + if ((unsigned long) node->addr <= (unsigned long) p + && (unsigned long) p < (unsigned long) node->addr + node->size) + { + o = node; + break; + } + rcu_read_unlock(); + + if (o != NULL) { + TRACE ("set port in object %p", (void *) o->addr); + struct port *port = malloc (sizeof *port); + if (port) { + port->p = p; + cds_hlist_add_head_rcu (&port->node, &o->ports); + } + } + + out: + return new; +} + +/* Memory management. */ +void * +portseal_malloc (size_t size) +{ + struct object *o; + posix_memalign ((void **) &o, 8, size + sizeof (struct object)); + if (! o) + return NULL; + + void *p = o + sizeof (struct object); + + cds_lfht_node_init (&o->node); + CDS_INIT_HLIST_HEAD (&o->ports); + o->addr = (unsigned long) p; + o->size = size; + unsigned long hash = jhash (&p, sizeof p, portseal_seed); + rcu_read_lock (); + cds_lfht_add (portseal_object_hash, hash, &o->node); + rcu_read_unlock (); + + return p; +} + +static void +free_object (struct rcu_head *head) +{ + struct object *node = caa_container_of (head, struct object, rcu_head); + TRACE ("free_object(%p)", node); + free (node); +} + +static int +match (struct cds_lfht_node *ht_node, const void *_key) +{ + struct object *o = + caa_container_of(ht_node, struct object, node); + const unsigned long *key = _key; + + return *key == o->addr; +} + +void +portseal_free (void *p) +{ + TRACE ("free(%p)", p); + + unsigned long hash = jhash (&p, sizeof p, portseal_seed); + rcu_read_lock (); + struct cds_lfht_iter iter; + cds_lfht_lookup (portseal_object_hash, hash, match, &p, &iter); + struct cds_lfht_node *ht_node = cds_lfht_iter_get_node (&iter); + if (ht_node) + { + if (! cds_lfht_del (portseal_object_hash, ht_node)) + { + struct object *del_node = + caa_container_of (ht_node, + struct object, node); + + struct port *port; + struct cds_hlist_node *pos; + cds_hlist_for_each_entry (port, pos, &del_node->ports, node) { + portseal_decrement (*port->p); + *port->p = MACH_PORT_NULL; + free (port); + } + + call_rcu (&del_node->rcu_head, free_object); + } + } + rcu_read_unlock (); +} + +/* Initialization and teardown. */ + +static void __attribute__ ((constructor)) +portseal_init () +{ + portseal_object_hash = cds_lfht_new(1, 1, 0, + CDS_LFHT_AUTO_RESIZE | CDS_LFHT_ACCOUNTING, + NULL); + if (! portseal_object_hash) + error (1, errno, "Error allocating hash table"); + + portseal_seed = (uint32_t) time (NULL); + rcu_register_thread (); + + portseal_is_initialized = 1; +} + +static void __attribute__ ((destructor)) +portseal_destroy () { + rcu_unregister_thread (); +} diff --git a/libportseal/portseal.h b/libportseal/portseal.h new file mode 100644 index 0000000..5ad06b0 --- /dev/null +++ b/libportseal/portseal.h @@ -0,0 +1,73 @@ +#ifndef __PORTSEAL__ +#define __PORTSEAL__ + +#define _GNU_SOURCE +#include <mach.h> +#include <stddef.h> + +extern int ports[]; + +void *portseal_malloc (size_t) __attribute__ ((malloc)); +void portseal_free (void *); + +mach_port_t portseal_set_port (mach_port_t *, mach_port_t); +void portseal_decrement (mach_port_t); +void portseal_decrement_p (mach_port_t*); +void portseal_increment (mach_port_t); + +#define PORTSEAL_CLEANUP(T, I, V) \ + __attribute__ ((cleanup (portseal_decrement_p))) T I = V +#define PORTSEAL_CLEANUP_I(T, I, V, E) \ + __attribute__ ((cleanup (portseal_decrement_p))) T I = V; \ + portseal_set_port (&I, E) + +#define PORTSEAL_WRAP(F, P) \ + ({ \ + mach_port_t *_p = (P); \ + mach_port_t _old = *_p; \ + (F); \ + mach_port_t _new = *_p; \ + if (_old != _new) \ + { \ + portseal_decrement (_old); \ + portseal_increment (_new); \ + } \ + }) + +#define GCC_VERSION (__GNUC__ * 10000 \ + + __GNUC_MINOR__ * 100 \ + + __GNUC_PATCHLEVEL__) + +/* Test for GCC >= 34.9 */ +#if GCC_VERSION >= 40900 +/* use __auto_type */ +#define PORTSEAL_WRAP_R(F, P) \ + ({ \ + mach_port_t *_p = (P); \ + mach_port_t _old = *_p; \ + __auto_type _result = (F); \ + mach_port_t _new = *_p; \ + if (_old != _new) \ + { \ + portseal_decrement (_old); \ + portseal_increment (_new); \ + } \ + _result; \ + }) +#else +#define PORTSEAL_WRAP_R(F, P) \ + ({ \ + mach_port_t *_p = (P); \ + mach_port_t _old = *_p; \ + typeof (F) _result = (F); \ + mach_port_t _new = *_p; \ + if (_old != _new) \ + { \ + portseal_decrement (_old); \ + portseal_increment (_new); \ + } \ + _result; \ + }) +#endif + +#endif /* __PORTSEAL__ */ diff --git a/share/portseal/portseal.cocci b/share/portseal/portseal.cocci new file mode 100644 index 0000000..de1aeee --- /dev/null +++ b/share/portseal/portseal.cocci @@ -0,0 +1,117 @@ +@dec@ +identifier I; +@@ +mach_port_t I; + +@ptrdec@ +identifier I; +@@ +mach_port_t *I; + +@ptrarg@ +identifier F, I; +@@ +F (..., mach_port_t *I, ...) { ... } + +@@ +identifier dec.I; +expression E; +@@ +-I = E ++I = portseal_set_port (&I, E) + +/* The wrap hacks. */ + +/* ... with return values. */ +@@ +identifier R, dec.I; +identifier F !~ "^portseal_"; +position p; +@@ +R = F@p(..., +- &I ++ PORTSEAL_WRAP_HACK_R (&I) +, ...) + +@@ +identifier R, ptrdec.I; +identifier F !~ "^portseal_"; +position p; +@@ +R = F@p(..., +- I ++ PORTSEAL_WRAP_HACK_R (I) +, ...) + +/* ... without return values. */ +@@ +identifier dec.I; +identifier F !~ "^portseal_"; +position p; +@@ +F@p(..., +- &I ++ PORTSEAL_WRAP_HACK (&I) +, ...); + +@@ +identifier ptrdec.I; +identifier F !~ "^portseal_"; +position p; +@@ +F@p(..., +- I ++ PORTSEAL_WRAP_HACK (I) +, ...); + +@@ +identifier F, I; +expression E; +@@ + +F (..., + mach_port_t *I, + ...) +{ +<... +- *I = E ++ *I = portseal_set_port (I, E) +...> +} + + +@@ +identifier I; +@@ +{ +<... +- mach_port_t I; ++ PORTSEAL_CLEANUP (mach_port_t, I, MACH_PORT_NULL); +...> +} + +@@ +identifier I; +expression E; +@@ +{ +<... +- mach_port_t I = E; ++ PORTSEAL_CLEANUP_I (mach_port_t, I, MACH_PORT_NULL, E); +...> +} + + + + +@@ +expression E; +@@ +- malloc (E) ++ portseal_malloc (E) + +@@ +expression E; +@@ +- free (E) ++ portseal_free (E) diff --git a/test/Makefile b/test/Makefile new file mode 100644 index 0000000..7fe7cbf --- /dev/null +++ b/test/Makefile @@ -0,0 +1,8 @@ +CFLAGS += -std=gnu99 -ggdb +LDFLAGS = + +all: test + +.PHONY: clean +clean: + rm -f -- *.o test diff --git a/test/test.c b/test/test.c new file mode 100644 index 0000000..b3012d7 --- /dev/null +++ b/test/test.c @@ -0,0 +1,102 @@ +#define _GNU_SOURCE +#include <errno.h> +#include <error.h> +#include <fcntl.h> +#include <hurd.h> +#include <mach.h> +#include <stdio.h> + +void +dosth (void) +{ + mach_port_t foo; + mach_port_t bar = MACH_PORT_DEAD; + + foo = file_name_lookup ("/dev", O_NOTRANS, 0); + if (! MACH_PORT_VALID (foo)) + error (1, errno, "file_name_lookup"); + + fprintf (stderr, "dosth looked up %d\n", foo); +} + +void +donothing (mach_port_t *p) +{ +} + +void +dosthelse (mach_port_t *p) +{ + *p = file_name_lookup ("/bin", O_NOTRANS, 0); + if (! MACH_PORT_VALID (*p)) + error (1, errno, "file_name_lookup"); + + fprintf (stderr, "dosthelse looked up %d\n", *p); + donothing (p); +} + +mach_port_t some_port; +mach_port_t some_other_port; + +void +dosthglobal (void) +{ + some_port = file_name_lookup ("/sbin", O_NOTRANS, 0); + if (! MACH_PORT_VALID (some_port)) + error (1, errno, "file_name_lookup"); + + fprintf (stderr, "dosthglobal looked up %d\n", some_port); + + some_other_port = some_port; + some_port = MACH_PORT_NULL; +} + +void +doleakreceive (void) +{ + mach_port_t foo; + error_t err = mach_port_allocate (mach_task_self (), + MACH_PORT_RIGHT_RECEIVE, + &foo); + if (err) + error (1, errno, "mach_port_allocate"); + + fprintf (stderr, "allocated receive port %d\n", foo); +} + +void +dolookupcwd (void) +{ + mach_port_t foo; + foo = getcwdir (); + if (! MACH_PORT_VALID (foo)) + error (1, errno, "file_name_lookup"); + + fprintf (stderr, "dolookupcwd looked up %d\n", foo); +} + +void +gopinniped (void) +{ + mach_port_deallocate (mach_task_self (), 12345); + mach_port_destroy (mach_task_self (), 54321); +} + +int +main () +{ + dosth (); + + mach_port_t *p = malloc (sizeof *p); + dosthelse (p); + free (p); + + dosthglobal (); + some_other_port = MACH_PORT_NULL; + + doleakreceive (); + dolookupcwd (); + gopinniped (); + + return 0; +} |